CLAIMS: 

1. A distributed routing device comprising: 

means for routing subscriber traffic flow between at least two wireless 
access networks and an IP network, and 

means for generating at least one instance for executing a security 
function on a subscriber traffic flow, so that physically one security instance for 
subscribers of at least two wireless access networks is present and logically at 
least one of the at least two wireless access networks has a respective security 
instance. 

2. The distributed routing device according to claim 1, wherein at least 
one logical part of the security instance is associated with a context of a 
respective one of the wireless access networks and comprises an interface with 
the respective wireless access network. 

3. The distributed routing device according to claim 1, further 
comprising associating means for associating the subscribers with the at least 
two wireless access networks. 

4. The distributed routing device according to claim 1, further 
comprising reorganizing means for reorganizing a context from a first logical 
part of the security instance associated with a first wireless access network of 
the at least two wireless access networks to a second logical part of the security 
instance associated with a second wireless access network of the at least two 
wireless access networks. 

5. The distributed routing device according to claim 4, wherein the 
reorganizing means is configured to reorganize the context from the first logical 
part to the second logical part in case of a handover of a subscriber from the first 
wireless access network to the second wireless access network. 

6. The distributed routing device according to claim 1, wherein the 
security function comprises at least one of a Virtual Private Network, routing 
and firewall function. 

7. The distributed routing device according to claim 1, wherein the 
distributed routing device is located at a provider edge of the IP network. 

8. A method for routing subscriber traffic flow in a distributed routing 
device between at least two wireless access networks and an IP network, the 
method comprising the steps of: 

providing at least one instance for executing a security function on the 
subscriber traffic flow by logically separating the at least one instance for at 
least two wireless access networks, so that physically one security instance for 
subscribers of the at least two wireless access networks is present and logically 
at least one of the at least two wireless access networks has a respective security 
instance. 

9. The method according to claim 8, further comprising the steps of: 

associating at least one logical part of the security instance with a context 
of a respective one of the wireless access networks; and 

providing an interface between the at least one logical part and the 
respective associated wireless access networks. 

10. The method according to claim 9, further comprising the step of: 

modifying the context in the at least one logical part by the associated 
wireless access network via the respective interface. 

11. The method according to claim 10, further comprising the steps of: 

detecting whether the context to be modified comprises a security code; and 

in case the context comprises the security code, inhibiting the step of 
modifying the context. 

12. The method according to claim 8, further comprising the step of: 
associating the subscribers with the wireless access networks. 

13. The method according to claim 8, further comprising the step of: 

reorganizing a context from a first logical part of the security instance 
associated with a first wireless access network of the at least two wireless access 
networks to a second logical part of the security instance associated with a 
second wireless access network of the at least two wireless access networks. 

14. The method according to claim 13, wherein the reorganizing step 
comprises reorganizing the context from the first logical part to the second 
logical part in case of a handover of a subscriber from the first wireless access 
network to the second wireless access network. 

15. The method according to claim 14, wherein the reorganizing step 
comprises reorganizing a handover context pertaining to the subscriber handed 
over from the first wireless access network to the second wireless access 
network. 

16. A network node in a wireless access network for routing subscriber 
traffic flow to and from an IP network, the network node comprising: 

a connection for connecting a network node to a distributed routing 
device for routing traffic flow to and from an IP network, wherein the 
distributed routing device is configured to route subscriber traffic flow between 
at least two wireless access networks and an IP network, and the distributed 
routing device comprises at least one instance for executing a security function 
on a subscriber traffic flow, so that physically one security instance for 
subscribers of at least two wireless access networks is present and logically at 
least one of the at least two wireless access networks has a respective security 
instance, wherein at least one logical part of the security instance is associated 
with a context of a respective one of the wireless access networks and comprises 
an interface with the respective wireless access network; and 

the network node comprises modifying means for modifying the context 
in the at least one logical part of the security instance associated with the 
respective one of the wireless access network via a respectively provided 
interface. 

17. A network system comprising: 

at least two wireless access networks and a distributed routing device for 
routing subscriber traffic flow between the at least two wireless access networks 
and an IP network, wherein the distributed routing device is configured to route 
subscriber traffic flow between at least two wireless access networks and an IP 
network, and the distributed routing device comprises at least one instance for 
executing a security function on a subscriber traffic flow, so that physically one 
security instance for subscribers of at least two wireless access networks is 
present and logically at least one of the at least two wireless access networks has 
a respective security instance. 